Weaving the three critical attributes – Data Integrity, Data Quality and Data Security
Namrata Belekar
SIRO Clinpharm Pvt. Ltd

Index
1. Regulatory bodies
2. Basics of 3 attributes
3. Clinical data - Guidance for industry
4. Fraud and Misconduct
5. Violations
   1. Fraud cases
   2. FDA Warnings
   3. HIPAA Violations
6. HIPAA Action plan
7. Application level safeguards
8. Data level safeguards
9. How to detect frauds? Detecting signals
10. Key takeaways

Regulatory bodies
• FDA
• PMDA
• EMA
• DCGI
Industry Guidelines: Data Integrity, Data Quality, Data Security

Data Integrity
• Data integrity refers to the correctness and completeness of data (ALCOA)
• Data integrity types – Entity integrity and Referential integrity

Data Quality
Enter, Clean, Improve, Monitor, Analyze

Data Security
Data Protection: Firewall, Password protected, Authorized access, Physical cabinet

FDA’s Acceptance of Electronic Source Data
• Electronic data must meet the same fundamental elements of data quality and integrity (complete and consistent) expected of paper records.
• Acceptance depends on FDA’s ability to verify it.
[Diagram: Data Integrity, Data Quality, Verification by FDA]

So, what if these guidelines are not followed?
o What are Fraud cases? GCP findings by MHRA?
o What are FDA warning letters?
o What are the HIPAA violations?

Fraud cases in Pharma
Case 1
• Promotion of a best-selling antidepressant for unapproved uses
• Failure to report safety data
• Paid $3 billion in fines
Case 2
• 18-year-old subject participated in a gene therapy study
• No adverse events reported
• Study team eager to achieve success
• Subject died as a result of serious toxicity

GCP inspections - Critical findings by MHRA - 2017
1. Computer System Validation (CSV) documentation of eCRF software release - Final versions of the User and Design specifications and the Traceability matrix were not available
2. TMF record keeping / Essential documents - Documents were named incorrectly, misfiled, duplicated, etc.
3. Subject enrollment by Principal Investigator (PI) - 20% enrolled were ineligible due to previous medical history and medication records
4. ePRO diary data updated based on DCF were not acceptable, as the audit trail was lacking in the database.

FDA Warning letters – 2019
Case: Violation / Non-compliance (after inappropriate responses to Form 483s)
Company 1
• Violations in cGMP in HP plant (under FD&C Act)
• Marketed batches exposed to temperatures outside the labelled storage conditions.
Company 2
• Misbranded and unapproved new drug sale of mifepristone with misoprostol, labelled for the termination of pregnancy.
FDA Warning letter - Official message from the US FDA to a manufacturer or other organization if the Form 483 CAPA responses are inappropriate; it demands prompt voluntary compliance with the Act.

HIPAA Violations – Case studies
Company 1
Reason: A laptop bag was stolen from an employee's car which contained:
• employee's computer
• unencrypted backup media, which contained the names, addresses, dates of birth, SSN, and clinical information of approximately 55,000 individuals
Penalty: $7,50,000
Corrective action:
▪ Develop an organization-wide risk analysis and risk management plan; and
▪ Train appropriate employees on all policies and procedures newly developed or revised pursuant to its corrective action plan.
Company 2
Reason: An unencrypted, password-protected laptop was stolen from a business associate's workforce member's locked vehicle, impacting the ePHI of 9,497 individuals
Penalty: $15,50,000

Preparing for how to respond to an incident after it happens can be just as important as how an entity prepares itself to prevent incidents.
- from HIPAA lessons learnt

HIPAA Action plan
➢ Protection from Malicious Software - Hackers: Conduct risk analysis to identify such threats and vulnerabilities within the environment, and implement appropriate security measures (e.g., patching, firewalls, data encryption methods) through their risk management plans (RMP).
➢ Business Contingency Plan (BCP): Natural disasters as well as continuing cyberattacks, to ensure effective recovery in the healthcare sector following disasters.
➢ Access Control: to ensure user access levels are appropriate and support core functions
➢ Information System Activity Review: To help identify malicious activity and alert the organization of an intruder
➢ Audit Controls with effective review process (Quality): help identify and mitigate threats from malicious insiders
➢ Security Incident Procedures: Ineffective procedures can prolong a breach and actions perpetrated by malicious actors. Well-tested security incident procedures can prepare an organization to effectively respond to all manner of security incidents

Computerized Systems Used in Clinical Investigations
Internal Safeguards External Safeguards
Individual login Account System
Audit trail Documentation
Application SOPs Training

Other Safeguards: 21 CFR Part 11 (2003)
Electronic signatures should consist of the following aspects:
a) Printed name of the signer
b) Date and time when the signature was executed
c) Meaning (such as review, approval, or authorship) associated with the signature or In/out details
d) Each eSign should be unique to one individual
• Establishes the requirement under which the FDA accepts electronic records & electronic signatures as equivalent to paper-based records & handwritten signatures
• Permits verification that electronic information submitted to the Agency accurately represents the original source data

“Rather fail with honor than succeed by FRAUD.”
- Sophocles

• Company reputation
• Data validity compromised
• Submission jeopardized
• Failed to maintain study compliance
• Failed to monitor study progress
• CRO, Sponsor
• Submission of false information
• Additional costs
• Business reputation
• Fines
• Legal expenses
• Disqualification
• License revocation
• Subject's safety at risk

How to identify Frauds? – Detecting signals
Aspects to be focused on, on an ongoing basis… Data level
[Diagram labels: Visit, Originals, Assessment, Informed Consent Form, Patient ABC]
• Visits on weekends and holidays; Site location?
• Meeting schedules too perfectly
• 100% dose compliance
• Perfect efficacy scores for all subjects
• No SAEs reported
• Fewer records of MH or conmed
• No variability in findings of lab tests, vitals
• Too many PDs
• Same date/time of ICF of many subjects in a site/country
• Identical DOB
• Multiple sites registration

How to detect these signals? - Mining the data
1. Comparison of data – using VLOOKUP, SORT, IF condition Excel functions
   Example:
   • Central lab load v/s AEs
   • Eligibility v/s randomization
2. Same Same Different – using SORT, IF ()
   Used to find duplicate values
   Example: Lab values, ECG values across visits
3. 80-20 principle - Can be applied to find out query trends, for recruitment rates
4. Audit trail report analysis
   • Entry by any other personnel than investigator/site staff
   • Can act as objective evidence when it comes to uncovering fraud
5. Visualizing data trends
   [Chart: No. of queries, categories 01 to 10, axis 0 to 150]
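
The signal checks described above, scripted as an added example that is not part of the original slides: it flags lab series with no variability across visits ("Same Same Different"), identical ICF date/time shared by many subjects at a site, and audit-trail entries made by anyone other than investigator/site staff. All records, field layouts, role names and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real study data).
LABS = [  # (subject, visit, analyte, value)
    ("S001", "V1", "ALT", 32.0), ("S001", "V2", "ALT", 32.0), ("S001", "V3", "ALT", 32.0),
    ("S002", "V1", "ALT", 28.0), ("S002", "V2", "ALT", 35.5), ("S002", "V3", "ALT", 31.2),
]
ICF = [  # (site, subject, consent timestamp)
    ("SITE-A", "S001", "2019-03-02 10:15"), ("SITE-A", "S003", "2019-03-02 10:15"),
    ("SITE-A", "S004", "2019-03-02 10:15"), ("SITE-B", "S002", "2019-03-05 09:40"),
]
AUDIT = [  # (user, role, subject, field)
    ("dr_rao", "investigator", "S001", "ALT"),
    ("cra_01", "monitor", "S001", "ALT"),
    ("coord_7", "site_staff", "S002", "ALT"),
]
SITE_ROLES = {"investigator", "site_staff"}  # assumed role names


def repeated_values(labs, min_visits=3):
    """'Same Same Different': subject/analyte pairs with no variability across visits."""
    series = defaultdict(list)
    for subject, _visit, analyte, value in labs:
        series[(subject, analyte)].append(value)
    return sorted(k for k, v in series.items() if len(v) >= min_visits and len(set(v)) == 1)


def clustered_consents(icf, threshold=3):
    """Site/timestamp pairs where `threshold` or more subjects share one ICF date/time."""
    counts = Counter((site, ts) for site, _subject, ts in icf)
    return sorted(k for k, n in counts.items() if n >= threshold)


def non_site_entries(audit, allowed=SITE_ROLES):
    """Audit-trail rows entered by anyone other than investigator/site staff."""
    return [row for row in audit if row[1] not in allowed]


if __name__ == "__main__":
    print("Repeated lab values:", repeated_values(LABS))
    print("Clustered ICF timestamps:", clustered_consents(ICF))
    print("Non-site data entry:", non_site_entries(AUDIT))
```

A flagged row is a prompt for source data verification, not proof of fraud; the thresholds should be tuned per study.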

Aspects to be focused on, on an ongoing basis… Data level
Database
• Program edit checks covering all scenarios and validate them
• Incorporate prompts, edit checks, derived fields for data repopulation.
• CDASH compliant for standardized analysis
Study data
• Provide status reports to reduce the TAT, like data entry, answered queries, SAEs noted, login frequency
• Metrics to capture missing data and queries, and email notifications triggered to site staff for inaccurate or missing data, should be configured.

Conclusion - Weaving these 3 attributes… Key takeaways
CDM should ensure each database, eCOA app, medical device and other application used is compliant with the following:
1. Industry guidelines
2. Study protocol requirements
3. Operationally feasible to use
4. End points can be derived from the collected data
❖ Be responsible for data, collaborate with all the stakeholders from the beginning and ensure protection at all levels

Thank you